IAB UK sets out actions to address ICO’s real-time bidding concerns
Posted on: Thursday 09 January 2020 | IAB UK
In response to the ICO’s ‘Update report into adtech and real time bidding’, published in June 2019, IAB UK has set out a series of actions designed to help companies engaged in RTB to understand and meet their data protection and privacy compliance obligations in practice.
The ICO’s report summarised the findings of its review of the use of personal data in the real-time bidding process in terms of the relevant provisions of the GDPR and ePrivacy legislation. Following its publication, the regulator announced a six-month period for further industry engagement and for the industry to respond to its findings.
This process has been led by IAB UK and its members, along with IAB Europe and IAB Tech Lab where appropriate. As a result, IAB UK has committed to a series of actions on six key issues raised in the ‘Update report’, to help improve standards of compliance. These are summarised as follows:
Data security: IAB UK will develop good practice guidance covering security, data minimisation and data retention, and work with IAB Europe to explore how the requirements in the Transparency and Consent Framework (TCF) policies could be enhanced to support such good practice.
Special category data: A range of actions to be taken, including developing UK-focused guidance on the Content Taxonomy, education for the industry on special category data restrictions and requirements (developed with other relevant trade bodies, particularly on the buy-side), and work to identify potential controls to minimise risks arising from the content of referred URLs in bid requests.
Reliance on legitimate interests for cookies: IAB UK is committed to educating its members on the consent requirements of UK ePrivacy regulations, with reference to the ICO’s current cookie guidance, and promoting the use of the TCF, where appropriate, for obtaining this consent in a compliant way.
Legitimate interests assessments (LIAs): IAB UK will educate its members on LIA requirements, taking into account the outcomes of a joint (ICO/IAB Europe/IAB UK) review of anonymised example LIAs, and work with IAB Europe to develop resources to support companies to meet these requirements in practice.
Data Protection Impact Assessments (DPIAs): IAB UK will educate members on DPIA requirements and encourage them to review their processing operations in light of the ICO’s existing guidance. It will also identify whether additional guidance is needed for the industry, and work with other relevant trade bodies as they develop their own DPIA approaches and guidance.
Transparency and fairness of information provided to consumers: IAB UK will engage with IAB Europe on the outcomes of ongoing discussions about potential changes to TCF policies with respect to Consent Management Provider user interfaces, and then decide on any further action.
You can read the full response here. In addition to the actions outlined above, IAB UK also identifies areas where further discussion is needed before a clearer position and consensus can be reached. The ICO is expected to provide a further update on its position in the coming weeks, once it has reviewed all relevant responses.
Simon McDougall, the ICO’s Executive Director for Technology and Innovation, said: “Our ‘Update report’ documented our concerns with how personal data is processed using RTB, and our subsequent engagement work with the adtech industry has largely validated these concerns. We’re very pleased with the engagement we’ve had so far and, while we still have a long way to go, we’re optimistic that an industry-led solution is possible. We look forward to continuing our constructive discussions with the IAB and the industry as it implements the proposals made.”
Christie Dennehy-Neil, IAB UK’s Head of Policy and Regulatory Affairs, added: “It’s now critical that we work together with our members to implement change. This needs everyone – advertisers, intermediaries and media owners – to work with us, and to be willing to take action and invest in making changes where necessary.”